Presentation Transcript

The Dark Side of the Web: An Open Proxy’s View

Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang, Larry Peterson

Princeton University

Origins: Surviving Heavy Loads
  • Surviving flash crowds, DDoS attacks
  • Absorb via massive resources
    • Raise the bar for attacks
    • Tolerate smaller crowds
    • Survive larger attacks
  • Existing approach: Content Distribution Networks

CoDeeN Security - HotNets II

Building an Academic CDN
  • Flash crowds are real
  • We have the technology
    • OSDI’02 paper on CDN performance
    • USITS’03 proxy API
    • PlanetLab provides the resources
  • Continuous service, decentralized control
  • Seeing real traffic, reliability, etc
    • We use it ourselves
    • Open access = more traffic


How Does CoDeeN Work?
  • Server surrogates (proxies) on most North American sites
    • Originally everywhere, but we cut back
  • Clients specify proxy to use
    • Cache hits served locally
    • Cache misses forwarded to CoDeeN nodes
      • Maybe forwarded to origin servers


How Does CoDeeN Work?

[Diagram: a client sends a Request to a CoDeeN proxy; a Cache hit is answered with a Response locally; a Cache miss is forwarded to another CoDeeN proxy and, on a further Cache miss, to the origin, with the Response returning along the same path.]

Each CoDeeN proxy is a forward proxy, reverse proxy, & redirector

Steps For Inviting Trouble
  • Use a popular protocol
    • HTTP
  • Emulate a popular tool/interface
    • Web proxy servers
  • Allow open access
    • With HTTP’s lack of accountability
  • Be more attractive than competition
    • Uptime, bandwidth, anonymity


Hello, Trouble!
  • Spammers
  • Bandwidth hogs
  • High request rates
  • Content Thieves
  • Worrisome anonymity

Commonality: using CoDeeN to do things they would not do directly


The Root of All Trouble

[Diagram: (Malicious) Client --http/tcp--> CoDeeN Proxy --http/tcp--> origin]

No End-To-End Authentication

Spammers
  • SMTP (port 25) tunnels via CONNECT
    • Relay via open mail server
  • POST forms (formmail scripts)
    • Exploit website scripts
  • IRC channels (port 6667) via CONNECT
    • Captive audience, high port #


Attempted SMTP Tunnels/Day


Bandwidth Hogs
  • Webcam trackers
    • Mass downloads of paid cam sites
  • Cross-Pacific traffic
    • Simultaneous large file downloads
  • Steganographers
    • Large files hidden in small images
    • All uniform sizes


High Request Rates
  • Password crackers
    • Attacking random Yahoo! accounts
  • Google crawlers
    • Dictionary crawls – baffles Googlians
  • Click counters
    • Defeat ad-supported “game”


Content Theft
  • Licensed content theft
    • Journals and databases are expensive
  • Intra-domain access
    • Protected pages within the hosting site


Worrisome Anonymity
  • Request spreaders
    • Use CoDeeN as a DDoS platform!
  • TCP over HTTP
  • Non-HTTP Port 80
    • Access logging insufficient
  • Vulnerability testing
    • Low rate, triggers IDS


Goals, Real & Otherwise
  • Desired: allow only “safe” accesses
  • Ideally
    • An oracle tells you what’s safe
    • “Your” users are not impacted
  • Open proxies considered inherently bad
    • NLANR requires accounts, proxy-auth
    • JANET closed to outsiders
  • No research in “partially open” proxies


Privilege Separation

[Diagram: a Remote Client sends an Unprivileged Request to the Remote Proxy; a Local Client sends a Privileged Request to the Local Proxy, which sits in front of the Local Server.]

Rate Limiting

[Figure: per-client request counters at three time scales: Minute, Hour, Day]

  • 3 scales capture burstiness
  • Exceptions
    • Login attempts
    • Vulnerability tests
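An added example of the three-scale limiter this slide sketches, written for this transcript rather than taken from CoDeeN. It shows why one window is not enough: a burst that stays inside the hour budget trips the minute budget, and a client that stays exactly under the minute budget for twenty minutes trips the hour budget. The budgets, the `classify` rule that treats login-looking URLs as the tighter "exception" class, and the client addresses are all made up.

```python
"""Three-scale rate limiter (minute / hour / day) per client.

Added example for this transcript, not CoDeeN's code. The slide's point is that
a single window misses things: a burst that fits the hour budget blows the
minute budget, and a slow drip that never trips the minute budget still blows
the day budget. The "exception" classes (login attempts, vulnerability tests)
get a much tighter budget, since even a modest rate of those is abuse.
All thresholds, the URL classifier and the client addresses are made up.
"""
from collections import defaultdict, deque

WINDOWS = {"minute": 60, "hour": 3600, "day": 86400}  # seconds

# Hypothetical budgets per (class, window).
BUDGETS = {
    "normal": {"minute": 100, "hour": 2000, "day": 20000},
    "login":  {"minute": 5,   "hour": 30,   "day": 100},
}


def classify(url: str) -> str:
    """Hypothetical request classifier: login-looking URLs get the tight budget."""
    return "login" if "login" in url.lower() else "normal"


class MultiScaleLimiter:
    def __init__(self, budgets=BUDGETS):
        self.budgets = budgets
        # (client, class) -> {window name: deque of accepted-request timestamps}
        self._hits = defaultdict(lambda: {w: deque() for w in WINDOWS})

    @staticmethod
    def _prune(dq, span, now):
        # Drop timestamps that have fallen out of this window.
        while dq and now - dq[0] >= span:
            dq.popleft()

    def allow(self, client: str, url: str, now: float) -> tuple[bool, str]:
        """Return (allowed, reason); only allowed requests count against budgets."""
        cls = classify(url)
        hits = self._hits[(client, cls)]
        for name, span in WINDOWS.items():
            dq = hits[name]
            self._prune(dq, span, now)
            if len(dq) >= self.budgets[cls][name]:
                return False, f"{cls} {name} limit"
        for dq in hits.values():
            dq.append(now)
        return True, "ok"


def run_trace(trace):
    """Replay (timestamp, client, url) events through a fresh limiter.

    Returns the decision for every event, in order."""
    lim = MultiScaleLimiter()
    return [lim.allow(client, url, t) for t, client, url in trace]


# Constructed traces (not real CoDeeN traffic).
# 1) Password cracker: six login requests within one minute, then one a minute later.
CRACKER = [(float(i), "203.0.113.9", "http://mail.example.com/login") for i in range(6)]
CRACKER.append((60.0, "203.0.113.9", "http://mail.example.com/login"))
# 2) Bandwidth hog that stays exactly at the minute budget for 20 minutes,
#    then sends one more: the hour budget (2000) catches what the minute budget missed.
HOG = [(60.0 * m, "203.0.113.10", "http://www.example.com/big")
       for m in range(20) for _ in range(100)]
HOG.append((1200.0, "203.0.113.10", "http://www.example.com/big"))

if __name__ == "__main__":
    for name, trace in (("cracker", CRACKER), ("hog", HOG)):
        denied = [(t, r) for (t, _, _), (ok, r) in zip(trace, run_trace(trace)) if not ok]
        print(f"{name}: {len(trace)} requests, {len(denied)} denied: {denied}")
```

Only accepted requests are recorded, so a client that keeps hammering after a denial is not pushed further out; if you want lock-out behaviour, append the timestamp before returning the denial as well.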

Other Techniques
  • Limiting methods – GET, (HEAD)
    • Local users not restricted
  • Sanity checking on requests
    • Browsers, machines very different
  • Modifying request stream
    • Most promising future direction

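An added example, written for this transcript and not CoDeeN's own code, that puts the Spammers, Privilege Separation, Content Theft and Other Techniques slides together as one request-line policy: clients from the operator's own networks are "local" and unrestricted; remote clients get GET (and HEAD) only, which also refuses CONNECT tunnels to SMTP and IRC and POSTs to formmail scripts; anything that is not an HTTP/1.x request line is rejected rather than relayed (the "non-HTTP port 80" case); and remote clients may not reach pages on the hosting site (the intra-domain form of content theft). The local network range, the hosting domain and the sample request lines are all constructed.

```python
"""Request-policy filter for a partially open proxy.

Added example for this transcript, not CoDeeN's code. It combines the slides'
stopgap techniques:
  * privilege separation: clients from the operator's own networks are
    "local" and unrestricted, everyone else is "remote";
  * method limiting: remote clients get GET (and HEAD) only, which also stops
    CONNECT tunnels to SMTP/IRC and POSTs to formmail scripts;
  * sanity checking: anything that is not an HTTP/1.x request line (e.g. a
    non-HTTP protocol speaking to port 80) is refused rather than relayed;
plus a rule against the "intra-domain access" form of content theft, in which
a remote client uses the proxy to reach pages restricted to the hosting site.
The network range and the hosting domain below are made up (RFC 5737 /
RFC 2606 documentation values).
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical: networks whose clients are trusted ("local", privileged).
LOCAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Hypothetical: the site hosting the proxy; remote clients may not reach it.
HOSTING_DOMAIN = "example.edu"

REMOTE_METHODS = {"GET", "HEAD"}
# HTTP/1.x request-line: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/1\.[01])$")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def is_local(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETS)


def in_hosting_site(host: str) -> bool:
    host = host.lower().rstrip(".")
    return host == HOSTING_DOMAIN or host.endswith("." + HOSTING_DOMAIN)


def check_request(client_ip: str, request_line: str) -> Decision:
    """Decide whether the proxy should service one request line."""
    m = REQUEST_LINE.match(request_line)
    if m is None:
        # Sanity check: not HTTP at all (SSH banner, raw TCP-over-HTTP, garbage).
        return Decision(False, "not an HTTP/1.x request line")
    method, target, _version = m.groups()

    if is_local(client_ip):
        return Decision(True, "local client: unrestricted")

    if method not in REMOTE_METHODS:
        # Blocks CONNECT (SMTP/IRC tunnels) and POST (formmail abuse) from outsiders.
        return Decision(False, f"remote client may not use {method}")

    parts = urlsplit(target)
    if parts.scheme.lower() != "http" or not parts.hostname:
        # A forward proxy expects absolute-form targets; origin-form here is suspect.
        return Decision(False, "remote client must request an absolute http:// URL")

    if in_hosting_site(parts.hostname):
        return Decision(False, "remote client may not reach hosting-site content")

    return Decision(True, "remote GET/HEAD of external http:// URL")


# Constructed sample traffic: (client IP, request line).
SAMPLE_REQUESTS = [
    ("203.0.113.5", "CONNECT mail.example.net:25 HTTP/1.0"),
    ("203.0.113.5", "POST http://www.example.com/cgi-bin/formmail.pl HTTP/1.1"),
    ("203.0.113.5", "CONNECT irc.example.net:6667 HTTP/1.1"),
    ("203.0.113.5", "GET http://library.example.edu/journals/ HTTP/1.1"),
    ("203.0.113.5", "GET /index.html HTTP/1.1"),
    ("203.0.113.5", "SSH-2.0-OpenSSH_3.7"),
    ("203.0.113.5", "GET http://www.example.com/ HTTP/1.1"),
    ("198.51.100.7", "CONNECT mail.example.net:25 HTTP/1.0"),
]


def audit(requests=SAMPLE_REQUESTS) -> list[tuple[str, str, Decision]]:
    return [(ip, line, check_request(ip, line)) for ip, line in requests]


if __name__ == "__main__":
    for ip, line, d in audit():
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {ip:14} {line!r}: {d.reason}")
```

Deciding on the request line alone is deliberately cheap; it is the "stopgap" layer the slides describe, and it leaves the slower checks (rate limiting, request-stream inspection) to run only on traffic that passes it.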

By The Numbers…
  • Running 24/7 since May, ~40 nodes
    • Over 400,000 unique IPs as clients
    • Over 150 million requests serviced
    • Valid rates up to 50K reqs/hour
    • Roughly 4 million reqs/day aggregate
    • About 4 real abuse incidents
  • Availability: high uptimes, fast upgrades


Daily Client Population Count


Daily Request Volume


Monitors & Other Venues
  • Routinely trigger open proxy alerts
    • Educating sysadmins, others
  • Really good honeypots
    • 6000 SMTP flows/minute at CMU
    • Spammers do ~1M HTTP ops/day
  • Early problem detection
    • Failing PlanetLab nodes
    • Compromised university machines


Lessons & Directions
  • Few substitutes for reality
    • Non-dedicated hardware really interesting
    • Failure modes not present in NS-2
  • Stopgap measures pretty effective
    • Very slow arms race
    • Breathing time for better solutions
  • Next: more complex techniques
    • Machine learning, high-dim clustering


More Info

http://codeen.cs.princeton.edu

Thanks:

Intel, HP, iMimic, PlanetLab Central

